9 files changed, 78 insertions, 42 deletions

diff --git a/ossfuzz/Makefile b/ossfuzz/Makefile
index 6875eb6..7e043a1 100644
--- a/ossfuzz/Makefile
+++ b/ossfuzz/Makefile
@@ -58,7 +58,7 @@ $(LZ4DIR)/liblz4.a:
 	$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) $< -o $@
 
 # Generic rule for generating fuzzers
-%_fuzzer: %_fuzzer.o lz4_helpers.o $(LZ4DIR)/liblz4.a
+%_fuzzer: %_fuzzer.o lz4_helpers.o fuzz_data_producer.o $(LZ4DIR)/liblz4.a
 	# Compile the standalone code just in case. The OSS-Fuzz code might
 	# override the LIB_FUZZING_ENGINE value to "-fsanitize=fuzzer"
 	$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) standaloneengine.c -o standaloneengine.o
diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c
index 75c609f..344917a 100644
--- a/ossfuzz/compress_frame_fuzzer.c
+++ b/ossfuzz/compress_frame_fuzzer.c
@@ -10,12 +10,14 @@
 #include <string.h>
 
 #include "fuzz_helpers.h"
+#include "fuzz_data_producer.h"
 #include "lz4.h"
 #include "lz4frame.h"
 #include "lz4_helpers.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
+    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
     uint32_t seed = FUZZ_seed(&data, &size);
     LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
     size_t const compressBound = LZ4F_compressFrameBound(size, &prefs);
diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c
index 7021624..42efbd3 100644
--- a/ossfuzz/compress_fuzzer.c
+++ b/ossfuzz/compress_fuzzer.c
@@ -10,15 +10,20 @@
 #include <string.h>
 
 #include "fuzz_helpers.h"
+#include "fuzz_data_producer.h"
 #include "lz4.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-    uint32_t seed = FUZZ_seed(&data, &size);
-    size_t const dstCapacity = FUZZ_rand32(&seed, 0, LZ4_compressBound(size));
+    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
+    size_t const dstCapacity = FUZZ_dataProducer_uint32(
+      producer, 0, LZ4_compressBound(size));
     char* const dst = (char*)malloc(dstCapacity);
     char* const rt = (char*)malloc(size);
 
+    /* Restrict to remaining data from producer */
+    size = producer->size;
+
     FUZZ_ASSERT(dst);
     FUZZ_ASSERT(rt);
 
@@ -46,6 +51,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 
     free(dst);
     free(rt);
+    FUZZ_dataProducer_free(producer);
 
     return 0;
 }
diff --git a/ossfuzz/compress_hc_fuzzer.c b/ossfuzz/compress_hc_fuzzer.c
index 4841367..f06f6dd 100644
--- a/ossfuzz/compress_hc_fuzzer.c
+++ b/ossfuzz/compress_hc_fuzzer.c
@@ -10,16 +10,22 @@
 #include <string.h>
 
 #include "fuzz_helpers.h"
+#include "fuzz_data_producer.h"
 #include "lz4.h"
 #include "lz4hc.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-    uint32_t seed = FUZZ_seed(&data, &size);
-    size_t const dstCapacity = FUZZ_rand32(&seed, 0, LZ4_compressBound(size));
+    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
+    size_t const dstCapacity = FUZZ_dataProducer_uint32(
+      producer, 0, LZ4_compressBound(size));
     char* const dst = (char*)malloc(dstCapacity);
     char* const rt = (char*)malloc(size);
-    int const level = FUZZ_rand32(&seed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX);
+    int const level = FUZZ_dataProducer_uint32(
+      producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX);
+
+    /* Restrict to remaining data from producer */
+    size = producer->size;
 
     FUZZ_ASSERT(dst);
     FUZZ_ASSERT(rt);
@@ -52,6 +58,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 
     free(dst);
     free(rt);
+    FUZZ_dataProducer_free(producer);
 
     return 0;
 }
diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c
index bda25b0..4c8ac39 100644
--- a/ossfuzz/decompress_frame_fuzzer.c
+++ b/ossfuzz/decompress_frame_fuzzer.c
@@ -9,6 +9,7 @@
 #include <string.h>
 
 #include "fuzz_helpers.h"
+#include "fuzz_data_producer.h"
 #include "lz4.h"
 #define LZ4F_STATIC_LINKING_ONLY
 #include "lz4frame.h"
@@ -29,17 +30,21 @@ static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity,
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-
-    uint32_t seed = FUZZ_seed(&data, &size);
-    size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size);
+    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
+    size_t const dstCapacity = FUZZ_dataProducer_uint32(
+      producer, 0, 4 * size);
     size_t const largeDictSize = 64 * 1024;
-    size_t const dictSize = FUZZ_rand32(&seed, 0, largeDictSize);
+    size_t const dictSize = FUZZ_dataProducer_uint32(
+      producer, 0, largeDictSize);
     char* const dst = (char*)malloc(dstCapacity);
     char* const dict = (char*)malloc(dictSize);
     LZ4F_decompressOptions_t opts;
     LZ4F_dctx* dctx;
     LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
 
+    /* Restrict to remaining data from producer */
+    size = producer->size;
+
     FUZZ_ASSERT(dctx);
     FUZZ_ASSERT(dst);
     FUZZ_ASSERT(dict);
@@ -62,6 +67,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     LZ4F_freeDecompressionContext(dctx);
     free(dst);
     free(dict);
+    FUZZ_dataProducer_free(producer);
 
     return 0;
 }
diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c
index 49f71b0..ae03ba9 100644
--- a/ossfuzz/decompress_fuzzer.c
+++ b/ossfuzz/decompress_fuzzer.c
@@ -15,7 +15,8 @@
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
-    size_t const dstCapacity = FUZZ_dataProducer_uint32(producer, 0, 4 * size);
+    size_t const dstCapacity = FUZZ_dataProducer_uint32(
+      producer, 0, 4 * size);
     size_t const smallDictSize = size + 1;
     size_t const largeDictSize = 64 * 1024 - 1;
     size_t const dictSize = MAX(smallDictSize, largeDictSize);
diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c
new file mode 100644
index 0000000..ae07575
--- /dev/null
+++ b/ossfuzz/fuzz_data_producer.c
@@ -0,0 +1,32 @@
+#include "fuzz_data_producer.h"
+
+FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) {
+  FUZZ_dataProducer_t *producer = malloc(sizeof(FUZZ_dataProducer_t));
+  producer->data = data;
+  producer->size = size;
+  return producer;
+}
+
+void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); }
+
+uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min,
+                                  uint32_t max) {
+  FUZZ_ASSERT(min <= max);
+
+  uint32_t range = max - min;
+  uint32_t rolling = range;
+  uint32_t result = 0;
+
+  while (rolling > 0 && producer->size > 0) {
+    uint8_t next = *(producer->data + producer->size - 1);
+    producer->size -= 1;
+    result = (result << 8) | next;
+    rolling >>= 8;
+  }
+
+  if (range == 0xffffffff) {
+    return result;
+  }
+
+  return min + result % (range + 1);
+}
diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h
index 6c4ef8a..389ec2a 100644
--- a/ossfuzz/fuzz_data_producer.h
+++ b/ossfuzz/fuzz_data_producer.h
@@ -3,40 +3,16 @@
 #include <stdio.h>
 #include <stdlib.h>
 
+#include "fuzz_helpers.h"
+
 typedef struct {
   const uint8_t *data;
   size_t size;
 } FUZZ_dataProducer_t;
 
-FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) {
-  FUZZ_dataProducer_t *producer = malloc(sizeof(FUZZ_dataProducer_t));
-  producer->data = data;
-  producer->size = size;
-  return producer;
-}
+FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size);
 
-void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); }
+void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer);
 
 uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min,
-                                  uint32_t max) {
-  if (min > max) {
-    return 0;
-  }
-
-  uint32_t range = max - min;
-  uint32_t rolling = range;
-  uint32_t result = 0;
-
-  while (rolling > 0 && producer->size > 0) {
-    uint8_t next = *(producer->data + producer->size - 1);
-    producer->size -= 1;
-    result = (result << 8) | next;
-    rolling >>= 8;
-  }
-
-  if (range == 0xffffffff) {
-    return result;
-  }
-
-  return min + result % (range + 1);
-}
+                                  uint32_t max);
diff --git a/ossfuzz/round_trip_hc_fuzzer.c b/ossfuzz/round_trip_hc_fuzzer.c
index 325cdf0..22b5e8f 100644
--- a/ossfuzz/round_trip_hc_fuzzer.c
+++ b/ossfuzz/round_trip_hc_fuzzer.c
@@ -9,16 +9,21 @@
 #include <string.h>
 
 #include "fuzz_helpers.h"
+#include "fuzz_data_producer.h"
 #include "lz4.h"
 #include "lz4hc.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-    uint32_t seed = FUZZ_seed(&data, &size);
+    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
     size_t const dstCapacity = LZ4_compressBound(size);
     char* const dst = (char*)malloc(dstCapacity);
     char* const rt = (char*)malloc(size);
-    int const level = FUZZ_rand32(&seed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX);
+    int const level = FUZZ_dataProducer_uint32(
+      producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX);
+
+    /* Restrict to remaining data from producer */
+    size = producer->size;
 
     FUZZ_ASSERT(dst);
     FUZZ_ASSERT(rt);
@@ -34,6 +39,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 
     free(dst);
     free(rt);
+    FUZZ_dataProducer_free(producer);
 
     return 0;
 }